1. 27 Oct, 2023 1 commit
    • David Iglesias's avatar
      [web] Add 'nonce' prop to flutter.js loadEntrypoint (#137204) · 15ccf24d
      David Iglesias authored
      ## Description
      
      This PR adds a `nonce` parameter to flutter.js' `loadEntrypoint` method.
      
      When set, loadEntrypoint will add a `nonce` attribute to the `main.dart.js` script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add `'self'` as a valid source for `script-src`.
      
      ----
      
      ### CSP directive
      
      After this change, the CSP directive for a Flutter Web index.html can be:
      
      ```
      script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
      font-src https://fonts.gstatic.com;
      style-src 'nonce-YOUR_NONCE_VALUE';
      ```
      
      When CSP is set via a `meta` tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: [`worker-src 'self';`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src)
      
      When CSP set via response headers, the CSP that applies to `flutter_service_worker.js` is determined by its response headers. See **Web Workers API > [Content security policy](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy)** in MDN.)
      
      ----
      
      ### Initialization
      
      If the CSP is set to disallow `script-src 'self'`, a nonce needs to also be passed to `loadEntrypoint`:
      
      ```javascript
        _flutter.loader.loadEntrypoint({
          nonce: 'SOME_NONCE',
          onEntrypointLoaded: (engineInitializer) async {
            const appRunner = await engineInitializer.initializeEngine({
              nonce: 'SOME_NONCE',
            });
            appRunner.runApp();
          },
        });
      ```
      
      (`nonce` shows twice for now, because the entrypoint loader script doesn't have direct access to the `initializeEngine` call.)
      
      ----
      
      ## Tests
      
      * Added a smoke test to ensure an app configured as described above starts.
      
      ## Issues
      
      * Fixes https://github.com/flutter/flutter/issues/126977
      15ccf24d
  2. 14 Sep, 2023 1 commit
  3. 14 Jul, 2023 1 commit
    • Pavel Mazhnik's avatar
      [web] remove unnecessary awaits from flutter.js (#130204) · 1c1c273b
      Pavel Mazhnik authored
      Fixed types for `_getNewServiceWorker` and `_waitForServiceWorkerActivation` functions.  
      These functions currently expect a Promise as an argument, but we're actually passing in an already resolved value:
      ```js
      .then(this._getNewServiceWorker)
      .then(this._waitForServiceWorkerActivation);
      ```
      1c1c273b
  4. 21 Feb, 2023 1 commit
    • David Iglesias's avatar
      [tool][web] Makes flutter.js more G3 friendly. (#120504) · a463bb82
      David Iglesias authored
      * Allow any JS file in flutter loader.
      
      * Nag only if service worker API is completely unavailable.
      
      * Add info about Secure Contexts if that may be the reason why serviceworker is not available.
      
      * Update sanity test.
      
      * If service worker settings are null, do not even check if the API is available.
      a463bb82
  5. 10 Feb, 2023 1 commit
  6. 09 Feb, 2023 1 commit
  7. 07 Feb, 2023 1 commit